| /* Copyright (c) 2012 The Chromium OS Authors. All rights reserved. |
| * Use of this source code is governed by a BSD-style license that can be |
| * found in the LICENSE file. |
| */ |
| |
| /* |
| * The general pattern of use here: |
| * 1) Construct a minijail with minijail_new() |
| * 2) Apply the desired restrictions to it |
| * 3) Enter it, which locks the current process inside it, or: |
| * 3) Run a process inside it |
| * 4) Destroy it. |
| */ |
| |
| #ifndef _LIBMINIJAIL_H_ |
| #define _LIBMINIJAIL_H_ |
| |
| #include <stdint.h> |
| #include <sys/resource.h> |
| #include <sys/types.h> |
| |
| /* |
| * Rust's bindgen needs the actual definition of sock_fprog in order to |
| * generate usable bindings. |
| */ |
| #ifdef USE_BINDGEN |
| #include <linux/filter.h> |
| #endif |
| |
| #ifdef __cplusplus |
| extern "C" { |
| #endif |
| |
| /* Possible exit status codes returned by minijail_wait(). */ |
| enum { |
| /* Command can be found but cannot be run */ |
| MINIJAIL_ERR_NO_ACCESS = 126, |
| |
| /* Command cannot be found */ |
| MINIJAIL_ERR_NO_COMMAND = 127, |
| |
| /* (MINIJAIL_ERR_SIG_BASE + n) if process killed by signal n != SIGSYS */ |
| MINIJAIL_ERR_SIG_BASE = 128, |
| |
| /* Cannot mount a file or folder in mount namespace */ |
| MINIJAIL_ERR_MOUNT = 251, |
| |
| MINIJAIL_ERR_PRELOAD = 252, |
| |
| /* Process killed by SIGSYS */ |
| MINIJAIL_ERR_JAIL = 253, |
| |
| MINIJAIL_ERR_INIT = 254, |
| }; |
| |
| struct minijail; |
| struct sock_fprog; |
| |
| /* |
| * A hook that can be used to execute code at various events during minijail |
| * setup in the forked process. These can only be used if the jailed process is |
| * not going to be invoked with LD_PRELOAD. |
| * |
| * If the return value is non-zero, it will be interpreted as -errno and the |
| * process will abort. |
| */ |
| typedef int (*minijail_hook_t)(void *context); |
| |
| /* |
| * The events during minijail setup in which hooks can run. All the events are |
| * run in the new process. |
| */ |
| typedef enum { |
| /* The hook will run just before dropping capabilities. */ |
| MINIJAIL_HOOK_EVENT_PRE_DROP_CAPS, |
| |
| /* The hook will run just before calling execve(2). */ |
| MINIJAIL_HOOK_EVENT_PRE_EXECVE, |
| |
| /* The hook will run just before calling chroot(2) / pivot_root(2). */ |
| MINIJAIL_HOOK_EVENT_PRE_CHROOT, |
| |
| /* Sentinel for error checking. Must be last. */ |
| MINIJAIL_HOOK_EVENT_MAX, |
| } minijail_hook_event_t; |
| |
| /* Allocates a new minijail with no restrictions. */ |
| struct minijail *minijail_new(void); |
| |
| /* |
| * These functions add restrictions to the minijail. They are not applied until |
| * minijail_enter() is called. See the documentation in minijail0.1 for |
| * explanations in detail of what the restrictions do. |
| */ |
| void minijail_change_uid(struct minijail *j, uid_t uid); |
| void minijail_change_gid(struct minijail *j, gid_t gid); |
| /* Copies |list|. */ |
| void minijail_set_supplementary_gids(struct minijail *j, size_t size, |
| const gid_t *list); |
| void minijail_keep_supplementary_gids(struct minijail *j); |
| /* Stores user to change to and copies |user| for internal consistency. */ |
| int minijail_change_user(struct minijail *j, const char *user); |
| /* Does not take ownership of |group|. */ |
| int minijail_change_group(struct minijail *j, const char *group); |
| void minijail_use_seccomp(struct minijail *j); |
| void minijail_no_new_privs(struct minijail *j); |
| void minijail_use_seccomp_filter(struct minijail *j); |
| void minijail_set_seccomp_filter_tsync(struct minijail *j); |
| /* |
| * Allow speculative execution features that may cause data leaks across |
| * processes, by setting the SECCOMP_FILTER_FLAG_SPEC_ALLOW seccomp flag. |
| * |
| * WARNING: Enabling this may make the process vulnerable to speculative |
| * execution attacks (Branch Target Injection, and Speculative Store Bypass). |
| * This is only safe to use for processes that do not execute untrusted code. |
| */ |
| void minijail_set_seccomp_filter_allow_speculation(struct minijail *j); |
| /* Does not take ownership of |filter|. */ |
| void minijail_set_seccomp_filters(struct minijail *j, |
| const struct sock_fprog *filter); |
| void minijail_parse_seccomp_filters(struct minijail *j, const char *path); |
| void minijail_parse_seccomp_filters_from_fd(struct minijail *j, int fd); |
| void minijail_log_seccomp_filter_failures(struct minijail *j); |
| /* 'minijail_use_caps' and 'minijail_capbset_drop' are mutually exclusive. */ |
| void minijail_use_caps(struct minijail *j, uint64_t capmask); |
| void minijail_capbset_drop(struct minijail *j, uint64_t capmask); |
| /* 'minijail_set_ambient_caps' requires 'minijail_use_caps'. */ |
| void minijail_set_ambient_caps(struct minijail *j); |
| void minijail_reset_signal_mask(struct minijail *j); |
| void minijail_reset_signal_handlers(struct minijail *j); |
| void minijail_namespace_vfs(struct minijail *j); |
| void minijail_namespace_enter_vfs(struct minijail *j, const char *ns_path); |
| void minijail_new_session_keyring(struct minijail *j); |
| void minijail_skip_setting_securebits(struct minijail *j, |
| uint64_t securebits_skip_mask); |
| |
| /* |
| * This option is *dangerous* as it negates most of the functionality of |
| * minijail_namespace_vfs(). You very likely don't need this. |
| */ |
| void minijail_skip_remount_private(struct minijail *j); |
| void minijail_remount_mode(struct minijail *j, unsigned long mode); |
| void minijail_namespace_ipc(struct minijail *j); |
| void minijail_namespace_uts(struct minijail *j); |
| int minijail_namespace_set_hostname(struct minijail *j, const char *name); |
| void minijail_namespace_net(struct minijail *j); |
| void minijail_namespace_enter_net(struct minijail *j, const char *ns_path); |
| void minijail_namespace_cgroups(struct minijail *j); |
| /* Closes all open file descriptors after forking. */ |
| void minijail_close_open_fds(struct minijail *j); |
| /* |
| * Implies namespace_vfs and remount_proc_readonly. |
| * WARNING: this is NOT THREAD SAFE. See the block comment in </libminijail.c>. |
| */ |
| void minijail_namespace_pids(struct minijail *j); |
| /* |
| * Implies namespace_vfs. |
| * WARNING: this is NOT THREAD SAFE. See the block comment in </libminijail.c>. |
| * Minijail will by default remount /proc read-only when using a PID namespace. |
| * Certain complex applications expect to be able to do their own sandboxing |
| * which might require writing to /proc, so support a weaker version of PID |
| * namespacing with a RW /proc. |
| */ |
| void minijail_namespace_pids_rw_proc(struct minijail *j); |
| void minijail_namespace_user(struct minijail *j); |
| void minijail_namespace_user_disable_setgroups(struct minijail *j); |
| int minijail_uidmap(struct minijail *j, const char *uidmap); |
| int minijail_gidmap(struct minijail *j, const char *gidmap); |
| void minijail_remount_proc_readonly(struct minijail *j); |
| void minijail_run_as_init(struct minijail *j); |
| int minijail_write_pid_file(struct minijail *j, const char *path); |
| void minijail_inherit_usergroups(struct minijail *j); |
| /* |
| * Changes the jailed process's syscall table to the alt_syscall table |
| * named |table|. |
| */ |
| int minijail_use_alt_syscall(struct minijail *j, const char *table); |
| |
| /* Sets the given runtime limit. See getrlimit(2). */ |
| int minijail_rlimit(struct minijail *j, int type, rlim_t cur, rlim_t max); |
| |
| /* |
| * Adds the jailed process to the cgroup given by |path|. |path| should be the |
| * full path to the cgroups "tasks" file. |
| * Example: /sys/fs/cgroup/cpu/jailed_procs/tasks adds to the "jailed_procs" cpu |
| * cgroup. |
| */ |
| int minijail_add_to_cgroup(struct minijail *j, const char *path); |
| |
| /* |
| * Install signal handlers in the minijail process that forward received |
| * signals to the jailed child process. |
| */ |
| int minijail_forward_signals(struct minijail *j); |
| |
| /* The jailed child process should call setsid() to create a new session. */ |
| int minijail_create_session(struct minijail *j); |
| |
| /* |
| * minijail_enter_chroot: enables chroot() restriction for @j |
| * @j minijail to apply restriction to |
| * @dir directory to chroot() to. Owned by caller. |
| * |
| * Enters @dir, binding all bind mounts specified with minijail_bind() into |
| * place. Requires @dir to contain all necessary directories for bind mounts |
| * (i.e., if you have requested a bind mount at /etc, /etc must exist in @dir.) |
| * |
| * Returns 0 on success. |
| */ |
| int minijail_enter_chroot(struct minijail *j, const char *dir); |
| int minijail_enter_pivot_root(struct minijail *j, const char *dir); |
| |
| /* |
| * minijail_get_original_path: returns the path of a given file outside of the |
| * chroot. |
| * @j minijail to obtain the path from. |
| * @chroot_path path inside of the chroot() to. |
| * |
| * When executing a binary in a chroot or pivot_root, return path to the binary |
| * outside of the chroot. |
| * |
| * Returns a string containing the path. This must be freed by the caller. |
| */ |
| char *minijail_get_original_path(struct minijail *j, const char *chroot_path); |
| |
| /* |
| * minijail_mount_tmp: enables mounting of a 64M tmpfs filesystem on /tmp. |
| * As be rules of bind mounts, /tmp must exist in chroot. |
| */ |
| void minijail_mount_tmp(struct minijail *j); |
| |
| /* |
| * minijail_mount_tmp_size: enables mounting of a tmpfs filesystem on /tmp. |
| * As be rules of bind mounts, /tmp must exist in chroot. Size is in bytes. |
| */ |
| void minijail_mount_tmp_size(struct minijail *j, size_t size); |
| |
| /* |
| * minijail_mount_dev: enables mounting of a tmpfs filesystem on /dev. |
| * It will then be seeded with a basic set of device nodes. For the exact |
| * list, consult the minijail(0) man page. |
| */ |
| void minijail_mount_dev(struct minijail *j); |
| |
| /* |
| * minijail_mount_with_data: when entering minijail @j, |
| * mounts @src at @dst with @flags and @data. |
| * @j minijail to bind inside |
| * @src source to bind |
| * @dest location to bind (inside chroot) |
| * @type type of filesystem |
| * @flags flags passed to mount |
| * @data data arguments passed to mount(2), e.g. "mode=755" |
| * |
| * This may be called multiple times; all mounts will be applied in the order |
| * of minijail_mount() calls. |
| * If @flags is 0, then MS_NODEV | MS_NOEXEC | MS_NOSUID will be used instead. |
| * If @data is NULL or "", and @type is tmpfs, then "mode=0755,size=10M" will |
| * be used instead. |
| */ |
| int minijail_mount_with_data(struct minijail *j, const char *src, |
| const char *dest, const char *type, |
| unsigned long flags, const char *data); |
| |
| /* |
| * minijail_mount: when entering minijail @j, mounts @src at @dst with @flags |
| * @j minijail to bind inside |
| * @src source to bind |
| * @dest location to bind (inside chroot) |
| * @type type of filesystem |
| * @flags flags passed to mount |
| * |
| * This may be called multiple times; all mounts will be applied in the order |
| * of minijail_mount() calls. |
| */ |
| int minijail_mount(struct minijail *j, const char *src, const char *dest, |
| const char *type, unsigned long flags); |
| |
| /* |
| * minijail_bind: bind-mounts @src into @j as @dest, optionally writeable |
| * @j minijail to bind inside |
| * @src source to bind |
| * @dest location to bind (inside chroot) |
| * @writeable 1 if the bind mount should be writeable |
| * |
| * This may be called multiple times; all bindings will be applied in the order |
| * of minijail_bind() calls. |
| */ |
| int minijail_bind(struct minijail *j, const char *src, const char *dest, |
| int writeable); |
| |
| /* |
| * minijail_add_remount: when entering minijail @j, remounts @mount_name and all |
| * subdirectories as @remount_mode rather than the default MS_PRIVATE |
| * @j minijail to bind inside |
| * @mount_name mount to remount |
| * @remount_mode remount mode to use |
| * |
| * This may be called multiple times; this overrides |j->remount_mode| for the |
| * given mount. |
| */ |
| int minijail_add_remount(struct minijail *j, const char *mount_name, |
| unsigned long remount_mode); |
| /* |
| * minijail_add_hook: adds @hook to the list of hooks that will be |
| * invoked when @event is reached during minijail setup. The caller is |
| * responsible for the lifetime of @payload. |
| * @j minijail to add the hook to |
| * @hook the function that will be invoked |
| * @payload an opaque pointer |
| * @event the event that will trigger the hook |
| */ |
| int minijail_add_hook(struct minijail *j, |
| minijail_hook_t hook, void *payload, |
| minijail_hook_event_t event); |
| |
| /* |
| * minijail_preserve_fd: preserves @parent_fd and makes it available as |
| * @child_fd in the child process. @parent_fd will be closed if no other |
| * redirect has claimed it as a @child_fd. This works even if |
| * minijail_close_open_fds() is invoked. |
| * @j minijail to add the fd to |
| * @parent_fd the fd in the parent process |
| * @child_fd the fd that will be available in the child process |
| */ |
| int minijail_preserve_fd(struct minijail *j, int parent_fd, int child_fd); |
| |
| /* |
| * minijail_set_preload_path: overrides the default path for |
| * libminijailpreload.so. |
| */ |
| int minijail_set_preload_path(struct minijail *j, const char *preload_path); |
| |
| /* |
| * Lock this process into the given minijail. Note that this procedure cannot |
| * fail, since there is no way to undo privilege-dropping; therefore, if any |
| * part of the privilege-drop fails, minijail_enter() will abort the entire |
| * process. |
| * |
| * Some restrictions cannot be enabled this way (pid namespaces) and attempting |
| * to do so will cause an abort. |
| */ |
| void minijail_enter(const struct minijail *j); |
| |
| /* |
| * Run the specified command in the given minijail, execve(2)-style. |
| * If minijail_namespace_pids() or minijail_namespace_user() are used, |
| * this or minijail_fork() is required instead of minijail_enter(). |
| */ |
| int minijail_run(struct minijail *j, const char *filename, |
| char *const argv[]); |
| |
| /* |
| * Run the specified command in the given minijail, execve(2)-style. |
| * Don't use LD_PRELOAD to do privilege dropping. This is useful when sandboxing |
| * static binaries, or on systems without support for LD_PRELOAD. |
| */ |
| int minijail_run_no_preload(struct minijail *j, const char *filename, |
| char *const argv[]); |
| |
| /* |
| * Run the specified command in the given minijail, execve(2)-style. |
| * Update |*pchild_pid| with the pid of the child. |
| */ |
| int minijail_run_pid(struct minijail *j, const char *filename, |
| char *const argv[], pid_t *pchild_pid); |
| |
| /* |
| * Run the specified command in the given minijail, execve(2)-style. |
| * Update |*pstdin_fd| with a fd that allows writing to the child's |
| * standard input. |
| */ |
| int minijail_run_pipe(struct minijail *j, const char *filename, |
| char *const argv[], int *pstdin_fd); |
| |
| /* |
| * Run the specified command in the given minijail, execve(2)-style. |
| * Update |*pchild_pid| with the pid of the child. |
| * Update |*pstdin_fd| with a fd that allows writing to the child's |
| * standard input. |
| * Update |*pstdout_fd| with a fd that allows reading from the child's |
| * standard output. |
| * Update |*pstderr_fd| with a fd that allows reading from the child's |
| * standard error. |
| */ |
| int minijail_run_pid_pipes(struct minijail *j, const char *filename, |
| char *const argv[], pid_t *pchild_pid, |
| int *pstdin_fd, int *pstdout_fd, int *pstderr_fd); |
| |
| /* |
| * Run the specified command in the given minijail, execve(2)-style. |
| * Pass |envp| as the full environment for the child. |
| * Update |*pchild_pid| with the pid of the child. |
| * Update |*pstdin_fd| with a fd that allows writing to the child's |
| * standard input. |
| * Update |*pstdout_fd| with a fd that allows reading from the child's |
| * standard output. |
| * Update |*pstderr_fd| with a fd that allows reading from the child's |
| * standard error. |
| */ |
| int minijail_run_env_pid_pipes(struct minijail *j, const char *filename, |
| char *const argv[], char *const envp[], |
| pid_t *pchild_pid, int *pstdin_fd, |
| int *pstdout_fd, int *pstderr_fd); |
| |
| /* |
| * Run the specified command in the given minijail, execve(2)-style. |
| * Update |*pchild_pid| with the pid of the child. |
| * Update |*pstdin_fd| with a fd that allows writing to the child's |
| * standard input. |
| * Update |*pstdout_fd| with a fd that allows reading from the child's |
| * standard output. |
| * Update |*pstderr_fd| with a fd that allows reading from the child's |
| * standard error. |
| * Don't use LD_PRELOAD to do privilege dropping. This is useful when sandboxing |
| * static binaries, or on systems without support for LD_PRELOAD. |
| */ |
| int minijail_run_pid_pipes_no_preload(struct minijail *j, const char *filename, |
| char *const argv[], pid_t *pchild_pid, |
| int *pstdin_fd, int *pstdout_fd, |
| int *pstderr_fd); |
| |
| /* |
| * Run the specified command in the given minijail, execve(2)-style. |
| * Pass |envp| as the full environment for the child. |
| * Update |*pchild_pid| with the pid of the child. |
| * Update |*pstdin_fd| with a fd that allows writing to the child's |
| * standard input. |
| * Update |*pstdout_fd| with a fd that allows reading from the child's |
| * standard output. |
| * Update |*pstderr_fd| with a fd that allows reading from the child's |
| * standard error. |
| * Don't use LD_PRELOAD to do privilege dropping. This is useful when sandboxing |
| * static binaries, or on systems without support for LD_PRELOAD. |
| */ |
| int minijail_run_env_pid_pipes_no_preload(struct minijail *j, |
| const char *filename, |
| char *const argv[], |
| char *const envp[], pid_t *pchild_pid, |
| int *pstdin_fd, int *pstdout_fd, |
| int *pstderr_fd); |
| |
| /* |
| * Fork, jail the child, and return. This behaves similar to fork(2), except it |
| * puts the child process in a jail before returning. |
| * `minijail_fork` returns in both the parent and the child. The pid of the |
| * child is returned to the parent. Zero is returned in the child. LD_PRELOAD |
| * is not supported. |
| * If minijail_namespace_pids() or minijail_namespace_user() are used, |
| * this or minijail_run*() is required instead of minijail_enter(). |
| */ |
| pid_t minijail_fork(struct minijail *j); |
| |
| /* |
| * Send SIGTERM to the process in the minijail and wait for it to terminate. |
| * |
| * Return the same nonnegative exit status as minijail_wait(), or a negative |
| * error code (eg -ESRCH if the process has already been waited for). |
| * |
| * This is most useful if the minijail has been created with PID namespacing |
| * since, in this case, all processes inside it are atomically killed. |
| */ |
| int minijail_kill(struct minijail *j); |
| |
| /* |
| * Wait for the first process spawned in the specified minijail to exit, and |
| * return its exit status. A process can only be waited once. |
| * |
| * Return: |
| * A negative error code if the process cannot be waited for (eg -ECHILD if no |
| * process has been started or if the process has already been waited for). |
| * MINIJAIL_ERR_NO_COMMAND if command cannot be found. |
| * MINIJAIL_ERR_NO_ACCESS if command cannot be run. |
| * MINIJAIL_ERR_JAIL if process was killed by SIGSYS. |
| * (MINIJAIL_ERR_SIG_BASE + n) if process was killed by signal n != SIGSYS. |
| * (n & 0xFF) if process finished by returning code n. |
| */ |
| int minijail_wait(struct minijail *j); |
| |
| /* |
| * Frees the given minijail. It does not matter if the process is inside the |
| * minijail or not. |
| */ |
| void minijail_destroy(struct minijail *j); |
| |
| /* |
| * minijail_log_to_fd: redirects the module-wide logging to an FD instead of |
| * syslog. |
| * @fd FD to log to. Caller must ensure this is available after |
| * jailing (e.g. with minijail_preserve_fd()). |
| * @min_priority the minimum logging priority. Same as the priority argument |
| * to syslog(2). |
| */ |
| void minijail_log_to_fd(int fd, int min_priority); |
| |
| #ifdef __cplusplus |
| } /* extern "C" */ |
| #endif |
| |
| #endif /* !_LIBMINIJAIL_H_ */ |